maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   General (https://talk.maemo.org/forumdisplay.php?f=7)
-   -   [SECURITY] Another compromised Certificate Authority (https://talk.maemo.org/showthread.php?t=88535)

freemangordon 2013-01-05 19:54

[SECURITY] Another compromised Certificate Authority
 
Beware:

http://googleonlinesecurity.blogspot...-security.html

Fremantle Community SSU will issue an update ASAP.

Maybe Harmattan users should call Nokia Support for an update. Or it is HiFo that should do that, I don't know. Could someone from the HiFo board please comment on what Harmattan users should do (in light of the "email to elop" concerns)?

Fuzzillogic 2013-01-05 21:42

Re: [SECURITY] Another compromised Certificate Authority
 
Quote:

Originally Posted by freemangordon (Post 1311223)
Beware:
Maybe Harmattan users should call Nokia Support for an update. Or it is HiFo that should do that, I don't know. Could someone from the HiFo board please comment on what Harmattan users should do (in light of the "email to elop" concerns)?

I already tried, but I doubt this would suffice. More people should mention this... no, SHOUT and B*TCH about this. Nokia's negligence so far isn't acceptable, IMNSHO.

Meanwhile, since I have incepted my device I tried to fix it myself:

Code:

~ $ ariadne mv /etc/ssl/certs/d937b34e05fdd9cf9f1216aeb6892feb253a881c.pem /etc/ssl/certs/d937b34e05fdd9cf9f1216aeb6892feb253a881c.pem.donttrust
This should disable the TURKTRUST certificate on the N9. But I still get an "access denied" :( Also, this might be under the protection of Aegis (which would be a good thing) and thus might lead to a MALF next boot. My Linux-fu isn't high enough to know how to fix it... Perhaps someone else can?

coderus 2013-01-05 21:51

Re: [SECURITY] Another compromised Certificate Authority
 
ssl certs are not under aegis protection
just enter full credentials mode by "ariadne sh" and then move/delete untrusted cert

rainisto 2013-01-05 22:20

Re: [SECURITY] Another compromised Certificate Authority
 
if you want the 'proper' way to remove it, then the right command would be:

opensh -c "acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca -r d937b34e05fdd9cf9f1216aeb6892feb253a881c"

This assumes that you have installed opensh with all the capas. You can run the acmcli with all capa inception shell too.

Fuzzillogic 2013-01-05 22:31

Re: [SECURITY] Another compromised Certificate Authority
 
Thanks rainisto, that fixed it :)

The aegis-certman-common-ca package installed the certificates into /usr/share/aegis-certman-common-ca, any idea if that is used for something? The TURKTRUST certificate over there can be (re)moved using more conventional ways though.

rainisto 2013-01-05 22:46

Re: [SECURITY] Another compromised Certificate Authority
 
you don't need to remove any files after running that acmcli command. They will not be used by harmattan system.

casketizer 2013-01-06 03:43

Re: [SECURITY] Another compromised Certificate Authority
 
Is it a coincidence this cert is the first in the Certmanager list?

Can certs be revoked manually on N900?

nbedford 2013-01-06 12:53

Re: [SECURITY] Another compromised Certificate Authority
 
Is opensh needed? Or is open mode + devel-su + develsh enough?

peterleinchen 2013-01-06 14:00

Re: [SECURITY] Another compromised Certificate Authority
 
Quote:

Originally Posted by casketizer (Post 1311362)
Is it a coincidence this cert is the first in the Certmanager list?

No, it is because the cert name begins with "(".
You may check with
Code:

dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"
Quote:

Originally Posted by casketizer (Post 1311362)
Can certs be revoked manually on N900?

Yes, there is such possibility. I will put a script (produced at DigiNotar times) at the end of post.

Quote:

Originally Posted by rainisto (Post 1311267)
if you want the 'proper' way to remove it, then the right command would be:
opensh -c "acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca -r d937b34e05fdd9cf9f1216aeb6892feb253a881c"

For N900 users, please refer to below script.
For N9 users, do we need to delete that CA also from the browser? (But according to the open bug mentioned, there is no such possibility?)


Simple script/guide to remove fraudulent CAs:
Code:

#!/bin/sh
# removing fraudulent CAs from the N900 common-ca store

echo "enter the cert(ifier) name you are looking for:"
read -r cert
cmcli -T common-ca -L | grep "$cert"

echo "now copy the full cert ID ..."
read -r nothing

echo "and give it as input (for removal)"
read -r certID
[ -n "$certID" ] || { echo "no cert ID given"; exit 1; }

# keep a backup of the PEM, then remove the CA from the store
if [ "$(id -u)" != 0 ] ; then
    sudo cp "/etc/certs/common-ca/$certID.pem" "/etc/certs/common-ca/$certID.pem.old"
    sudo cmcli -c common-ca -r "$certID"
else
    cp "/etc/certs/common-ca/$certID.pem" "/etc/certs/common-ca/$certID.pem.old"
    cmcli -c common-ca -r "$certID"
fi

echo "now open microb and go to"
echo "chrome://pippki/content/certManager.xul"
echo "and delete the cert also there in the CA manager"
read -r nothing

dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"


--edit
BUT, one more question arises here:
I do see two certificate IDs for TÜRKTRUST
Quote:

~ $ cmcli -T common-ca -L | grep "TÜRK"
c126ef0d847fc578cabfa616229289c42af952e7 TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
d937b34e05fdd9cf9f1216aeb6892feb253a881c TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
and also in browsers
Quote:

chrome://pippki/content/certManager.xul
they do appear twice.
So maybe for Harmattan users, you also check better twice?

I have no idea why we have them twice. Or if we need to block/delete both. Or if only one is fraudulent ...

Aranel 2013-01-06 15:19

Re: [SECURITY] Another compromised Certificate Authority
 
https://blog.mozilla.org/security/20...t-certficates/

According to this page Mozilla is revoking both certificates, so there's no reason why we should not.
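The thread removes the CA in three different ways (Fuzzillogic's rename in /etc/ssl/certs, rainisto's acmcli call on Harmattan, peterleinchen's cmcli script on the N900) and ends with the question of why two TÜRKTRUST roots with different IDs show up. The script below is an added example, not code from the thread or from Maemo/Harmattan: it works on any plain directory of PEM certificates (such as the /etc/ssl/certs tree Fuzzillogic edited) using only openssl(1), lists every CA with its SHA-1 fingerprint the way `cmcli -T common-ca -L` does, flags subjects that appear more than once so you distrust by fingerprint rather than by name, and only renames a file to `.donttrust` after confirming that file really carries the requested fingerprint. It does not replace the acmcli/cmcli call that the Harmattan/N900 certificate stores need; the directory and fingerprint are parameters, and the certificates in the test are generated on the spot.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl(1) is installed.
# Usage: sh distrust_ca.sh <certs-dir> <sha1-fingerprint>

# Lower-case, colon-free SHA-1 fingerprint of one PEM certificate.
# The prefix differs between OpenSSL versions ("SHA1 Fingerprint=" vs
# "sha1 Fingerprint="), so everything up to '=' is stripped.
cert_sha1() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^[^=]*=//; s/://g' | tr 'A-F' 'a-f'
}

# Subject line of one PEM certificate, without the "subject=" prefix.
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# "<fingerprint> <subject>" for every .pem in a directory, the same shape
# as the `cmcli -T common-ca -L` listing on the N900.
list_cas() {
    dir="$1"
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        printf '%s %s\n' "$(cert_sha1 "$pem")" "$(cert_subject "$pem")"
    done
}

# Subjects that occur more than once. Two distinct roots can legitimately
# share a subject name, so this only tells you to look at both fingerprints,
# not which one (if any) is the bad one.
duplicate_subjects() {
    list_cas "$1" | cut -d' ' -f2- | sort | uniq -d
}

# Distrust the certificate in $1 whose SHA-1 fingerprint is $2 by renaming it
# to .donttrust. The fingerprint may be given with or without colons and in
# either case. The file's own fingerprint is recomputed before the rename, so
# a file that was merely *named* after a fingerprint is not trusted blindly.
# Returns 0 on success, 1 if nothing in the directory matches.
distrust_by_fingerprint() {
    dir="$1"
    want=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        if [ "$(cert_sha1 "$pem")" = "$want" ]; then
            echo "distrusting $pem: $(cert_subject "$pem")" >&2
            mv "$pem" "$pem.donttrust"
            return 0
        fi
    done
    echo "no certificate with fingerprint $want in $dir" >&2
    return 1
}

# Only act when run directly with both arguments.
if [ $# -eq 2 ]; then
    echo "subjects present more than once (check each fingerprint):" >&2
    duplicate_subjects "$1"
    distrust_by_fingerprint "$1" "$2"
fi
```

On the N9 the fingerprint to pass is the one from rainisto's command, and the rename is the same thing Fuzzillogic did by hand; the difference is that the script refuses to touch a file whose contents do not hash to that value. Run `duplicate_subjects` first whenever a CA name appears twice, as TÜRKTRUST did here, and feed each fingerprint separately to the removal step.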

